30694 - [SC - Low] Users approved for a single token id cannot wit...
Description
Brief/Intro
Vulnerability Details
function _isApprovedOrOwner(address _spender, uint256 _tokenId) internal view returns (bool) {
address owner = idToOwner[_tokenId];
bool spenderIsOwner = owner == _spender;
bool spenderIsApproved = _spender == idToApprovals[_tokenId];
bool spenderIsApprovedForAll = (ownerToOperators[owner])[_spender];
return spenderIsOwner || spenderIsApproved || spenderIsApprovedForAll;
}
function merge(uint256 _from, uint256 _to) external {
//...
require(_isApprovedOrOwner(msg.sender, _from), "not approved or owner");
require(_isApprovedOrOwner(msg.sender, _to), "not approved or owner");
// ...
_burn(_from, value0);
_depositFor(_to, value0, end, _locked1.maxLockEnabled, _locked1, DepositType.MERGE_TYPE);
}
function withdraw(uint256 _tokenId) public nonreentrant {
require(_isApprovedOrOwner(msg.sender, _tokenId), "not approved or owner");
// ...
_burn(_tokenId, value);
emit Withdraw(msg.sender, _tokenId, value, block.timestamp);
}
function _burn(uint256 _tokenId, uint256 _value) internal {
// ...
approve(address(0), _tokenId);
// ...
}
function approve(address _approved, uint256 _tokenId) public {
address owner = idToOwner[_tokenId];
// Throws if `_tokenId` is not a valid token
require(owner != address(0), "owner not found");
// Throws if `_approved` is the current owner
require(_approved != owner, "Approved is already owner");
// Check requirements
bool senderIsOwner = (owner == msg.sender);
bool senderIsApprovedForAll = (ownerToOperators[owner])[msg.sender];
require(senderIsOwner || senderIsApprovedForAll, "sender is not owner or approved");
// Set the approval
idToApprovals[_tokenId] = _approved;
emit Approval(owner, _approved, _tokenId);
}Impact Details
Recommendation
References
Proof of Concept
Previous30685 - [SC - Medium] The proposer can be impeded from submitting a p...Next30699 - [SC - High] Permanent freezing of unclaimed ALCX yield when...
Last updated
Was this helpful?